[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: svnserve password store in clear text

From: Mark Phippard <MarkP_at_softlanding.com>
Date: 2004-06-04 15:02:13 CEST

"Ng, Wey Han" <weyhan.ng@atosorigin.com> wrote on 06/03/2004 11:20:08 PM:

>
> I have and Apache is not an option. I am not a developer and not an
> administrator. I was put into the position to setup a subversion server
> because of office politics. So the subversion server is a stand alone
server
> and will not have the users account in the box. I do not feel the need
to
> give shell access to all the developers using subversion. svnserve
actually
> fulfill all of my needs except for one, which is password stored as
clear
> text in passwd file.
>
>
> User management need not be complicated. I have in fact written a cgi
script
> for the user to change their password over the web and it is simple.
>

I do not really understand how serving up your repository would involve
office politics? It sounds like you have control over this server and you
have clearly already setup some sort of web server on this server. Why
can't Apache just serve the repository? Generally, using HTTP and SSL
would be an easier sell in most organizations. Normally, the resistance
to using Apache is setting it up on the server in the first place. Once
you are using Apache you can use whatever user and password system you
want.

>> They enter that hash rather than their plaintext password the one time
>> that svn asks them for it, and voila, everything works.
>>
>> As an added benefit, they can use whatever hash function they want!
>
> NO! :) It's hard enough to get people to use better password, getting
them
> to enter a hash password is going to be hell.

I do not understand this one either. Your users do not want to give you
plain text passwords, and you have said you do not want to receive them,
why can't your users be instructed to make a hash of their password and
give you the hash? That seems to solve the problem and is relatively easy
to do. Users that do not care can use plain text passwords.

In your own proposal, this is step 1:

> 1. The server store standard hashed password in the password file (Yes,
I
> know it is crackable but I am not too concern about security. If I am, I
> will be using the other method to access the server).

So how does your server get the hashed passwords to store if you are not
willing to do that? If you are willing, then why do you need to do
anything else?

Just trying to understand ...

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Jun 4 15:04:36 2004

This is an archived mail posted to the Subversion Dev mailing list.